I tried to build the replica like I did the past couple of weeks and ran into an error with the git checkout of the commit referenced in the proposal. I had the same issue for proposal 103231 that Dfinity executed earlier today. I’m not having trouble repeating the replica build from last week. Do you know why I would have a problem with the git checkout and do you have recommendations for alternate solutions? I provided more info in a post on DSCVR, which shows the error.
Yes, I was able to perform the complete build. My initial attempts were to use docker and Ubuntu on WSL2 (windows subsystem for Linux), but this didn’t work. I had to install VirtualBox and use a virtual machine running Linux Ubuntu and docker. That installation works perfectly. I provided more explicit instructions on how I built my builder in a comment on this post on DSCVR.
Hehe, it’s so nice to that community is actively participating and helping to maintain and improve the security.
So what happened is that on Friday we had a security update, and to finish this in the most secure way, we disabled the sync from the private IC repo (in which the CI builds tests) to the public IC repo on github, from which the community gets the source code, etc. As noted in the other thread, the sync has just been re-enabled so pulling changes should again work as expected. Please let me know if you still have issues.
Regarding WSL2 + docker + Ubuntu, maybe @marko has an idea what could be wrong with the setup?
@Samer, currently we don’t support building IC artifacts on WSL2. It’s best that you use Ubuntu 20.04 or Ubuntu 22.04 installed on some bare-metal server or public cloud VM instance.
As part of the key rotation feature we started attaching timestamps to public keys generated by the nodes. E.g. in threshold ECDSA, the registry uses a timestamp to keep track of the registration of a key. This is used by the registry to check if it is time for nodes to rotate their keys. Recently we also allowed nodes to record locally when they generated their keys, this could be used, e.g., to raise an alert in case they are not able to register a key for a prolonged period of time.
Regarding the MR. Node keys are stored in the Crypto Service Provider (CSP), and specifically in the CSP Vault which runs in a dedicated process and performs all operations with secret keys. Since keys are only accessible within the vault, this MR introduces an API to let the rest of the replica (specifically the part of the crypto component running in the replica process) to access the key generation timestamp of some public keys. This could be then used to report some metrics about the age of the node keys.
@Samer, @wpb, we’ve recently switched to using podman instead of docker so our build scripts have changed a bit. If you look this README, you can see that now IC-OS image is build with ./gitlab-ci/container/build-ic -i. My colleague tested this on Windows in WSL2 and it worked. Unfortunately, this is not helpful for this proposal, it will be with the next one (changes are available from revision 08244b2bc9bbb19d417d37f6912acfebbdbf4f49 on, which is from last Friday). I’d like to emphsise again that we’re testing our build scripts on daily cadence only on Ubuntu 20.04/22.04 OS machines.